SQL Injection Hit

Blast! Today I was rudely interrupted by a SQL injection attack on our main public-facing web server. When I arrived this morning at 7:30, I promptly overheard the help desk folks alerting us to the fact that when we visited our website (which happened to be the default home page on most of our enterprise PCs), users were experiencing a Symantec Anti-Virus popup saying that an attack had been stopped. We immediately took the site offline, popped up a nice “The web page is down” message on a new website and did the proper redirections.

Our attention turned to what had actually caused the issue. This was complicated by the fact that the content is actually designed and maintained by an outside vendor and done in ColdFusion. After tracking down the web server and examining the malicious code (thanks to the “NoScript” extension in Firefox), I found that the URL that was attempting to serve out the malware was down already. This was at least a little bit of good news. Upon searching the web and contacting the vendor, we ran across threads that suggested other ColdFusion users were being hit by a similar attack. Apparently the attack was similar to the one that occurred last February, in which several hundred thousand pages appeared compromised. This attack is easily defeated by validating all input, and there is even a ColdFusion parameter to do this that needed to be set.
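As an added illustration (not code from the post, and not the vendor's application), here is the pattern the post points at: a ColdFusion query that interpolates a URL parameter straight into its SQL, beside the same query with the value bound through cfqueryparam, which is what I take the "ColdFusion parameter" in the post to mean. A final query lists content rows that already carry an injected script tag, the sort of thing the clean-up described in the post has to find. The datasource variable, the `articles` table and its columns are assumed names for the example.

```cfml
<!--- Assumptions for this example: a request-scoped datasource name and an
      'articles' table with an integer id and text title/body columns.
      The post does not show the vendor's schema; these names are made up. --->

<!--- VULNERABLE: url.id is pasted into the SQL string as text.
      A request like  ?id=1;UPDATE articles SET body=body+'<script src=...></script>'
      runs as a second statement, which is how an attacker plants script tags
      in stored content that is then served to every visitor of the site. --->
<cfquery name="getArticle" datasource="#request.dsn#">
    SELECT title, body
    FROM   articles
    WHERE  id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bound parameter of a declared
      type. The database never parses it as SQL, and a value that is not an
      integer is rejected by ColdFusion before the query is executed. --->
<cfquery name="getArticle" datasource="#request.dsn#">
    SELECT title, body
    FROM   articles
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String inputs are bound the same way; maxlength caps what is accepted. --->
<cfquery name="searchArticles" datasource="#request.dsn#">
    SELECT id, title
    FROM   articles
    WHERE  title LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- Clean-up aid: list rows whose stored content already contains a script
      tag, so each can be reviewed and the injected markup removed. --->
<cfquery name="findInjected" datasource="#request.dsn#">
    SELECT id, title
    FROM   articles
    WHERE  body LIKE <cfqueryparam value="%<script%" cfsqltype="cf_sql_varchar">
</cfquery>
```

Binding every dynamic value this way is the fix the post describes as "validating all input"; the clean-up query only finds what has already been planted and is no substitute for it.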

The comic up top about sums up my feelings on the subject. By 3:40, the database had been cleaned of the malicious code and all necessary inputs had been flagged for validation. The matter wasn’t helped by the fact that this particular web server is still running Windows 2000 and a four-year-old version of ColdFusion. When I mentioned this fact, management seemed gleeful at the prospect of upgrading to Server 2008, pending compatibility checks with ColdFusion.